Date: Tue, 22 Sep 2009 09:51:05 -0300
From: Leandro Quibem Magnabosco <leandro.magnabosco@fcdl-sc.org.br>
To: Aflatoon Aflatooni <aaflatooni@yahoo.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD 6.3 installation hacked
Message-ID: <4AB8C839.3000905@fcdl-sc.org.br>
In-Reply-To: <196554.24096.qm@web56207.mail.re3.yahoo.com>
References: <196554.24096.qm@web56207.mail.re3.yahoo.com>
Aflatoon Aflatooni wrote:
> My server installation of FreeBSD 6.3 is hacked and I am trying to find out how they managed to get into my Apache 2.0.61.
>
> This is what I see in my http error log:
>
> [Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down
> [Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP/5.2.5 mod_jk/1.2.25 configured -- resuming normal operations
> wget: not found
> Can't open perl script "/tmp/shit.pl": No such file or directory
> wget: not found
> Can't open perl script "zuo.txt": No such file or directory
> curl: not found
> Can't open perl script "zuo.txt": No such file or directory
> lwp-download: not found
> Can't open perl script "zuo.txt": No such file or directory
> lynx: not found
> Can't open perl script "zuo.txt": No such file or directory
> zuo.txt 11 kB 56 kBps
> ...

It does not look like they entered using any Apache bug. Probably you had a world-writable directory and they managed to access it by FTP (or any other way) and sent a file containing commands to it. Once it was there, they 'called' the file using Apache to execute whatever was in there (probably binding a shell to some port) in order to get access to the box.

-- 
Leandro Quibem Magnabosco.
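Two defender-side checks that follow from the reply's hypothesis, written here as an added POSIX sh example (this is not code from the thread, from the poster's server or from FreeBSD): the first counts error-log lines in which a download tool was invoked or a dropped script was looked for, which is the tell-tale shape in the quoted log; the second lists world-writable directories under a document root. The sample log lines are constructed to mirror the quoted ones, and the document-root path is a placeholder you replace with your own DocumentRoot.

```sh
#!/bin/sh
# Added example, not part of the original thread. Paths and sample input
# are constructed for illustration.

# Constructed error-log excerpt shaped like the one quoted in the post.
# Output of wget/curl/lynx landing in httpd's error log means a process
# spawned by the web server ran a shell, which a web server never does by itself.
SAMPLE_LOG='[Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) configured -- resuming normal operations
wget: not found
Can'\''t open perl script "/tmp/shit.pl": No such file or directory
curl: not found
lynx: not found
zuo.txt 11 kB 56 kBps
[Mon Sep 21 02:05:00 2009] [notice] child pid 1234 exit signal Segmentation fault (11)'

# count_download_attempts LOGTEXT
# Prints the number of lines that look like a download tool being tried,
# a script being sought in a temp dir, or a transfer-progress line.
count_download_attempts() {
    printf '%s\n' "$1" | grep -E -c \
        '^(wget|curl|lynx|fetch|lwp-download): not found|Can.t open perl script|^[^ ]+\.(txt|pl)[[:space:]]+[0-9]+ kB' \
        || true   # grep -c exits 1 on zero matches; the count (0) is still printed
}

# find_world_writable_dirs ROOT
# Prints every directory under ROOT that anyone on the system can write to.
# -perm -0002 ("other" write bit set) works on both BSD and GNU find.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 -print 2>/dev/null | sort
}

# Stand-alone run: scan the constructed log, then the placeholder docroot if present.
echo "suspicious lines in sample log: $(count_download_attempts "$SAMPLE_LOG")"
root="${1:-/usr/local/www/apache22/data}"   # placeholder; pass your DocumentRoot as $1
if [ -d "$root" ]; then
    echo "world-writable directories under $root:"
    find_world_writable_dirs "$root"
fi
```

Run it as `sh check.sh /path/to/docroot`; any directory it prints should lose the bit with `chmod o-w`, and the same `grep` pattern run over the real error log (`grep -E -n ... /var/log/httpd-error.log`) gives the timestamps of the neighbouring `[notice]` lines, which narrow down which request spawned the shell.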